BulletProof Security

WordPress Website Security Protection: Firewall Security, Login Security, Database Security... Effective, Reliable, Easy to use...

BulletProof Security Feature Highlights

  • One-Click Setup Wizard
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Login Security & Monitoring
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Backup Logging
  • DB Table Prefix Changer
  • Security Logging
  • HTTP Error Logging
  • FrontEnd|BackEnd Maintenance Mode
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

BulletProof Security Pro Feature Highlights

  • One-Click Setup Wizard
  • AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
  • Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
  • Real-time File Monitor (IDPS)
  • DB Monitor Intrusion Detection System (IDS)
  • DB Diff Tool: data comparison tool
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Status & Info: extensive database status & info
  • Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real Time
  • JTC Anti-Spam|Anti-Hacker
  • Uploads Folder Anti-Exploit Guard (UAEG)
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Custom php.ini Website Security
  • Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • F-Lock: Read Only File Locking
  • FrontEnd|BackEnd Maintenance Mode
  • Security Logging
  • HTTP Error Logging
  • PHP Error Logging
  • DB Monitor Logging
  • DB Backup Logging
  • DB Table Prefix Changer
  • AutoRestore|Quarantine Logging
  • S-Monitor: Monitoring & Alerting Core
  • Pro Tools: 16 mini-plugins
  • Heads Up Dashboard Status Display
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

Why Is .htaccess Website Security So Much Better Than Other Types of Website Security?

The answer is very simple: .htaccess files (distributed Server configuration files) are processed by your server first, before any other code on your website. In other words, hackers' malicious scripts are stopped by BulletProof Security .htaccess files/Firewalls before those scripts even have a chance to reach the PHP code in WordPress.

BulletProof Security Additional Website Security Protection

WordPress is already very secure, but every website, no matter what type of platform it is built on should have additional website security measures in place as a standard.

BulletProof Security is Website Performance Optimized (Performance|Optimization)

Website performance is just as important as website security. BulletProof Security is website performance optimized with website owners' best interests at heart. BulletProof Security does NOT abuse the WordPress Database by making excessive MySQL Queries. BulletProof Security does NOT store excessive & non-essential data in your WordPress Database. BulletProof Security does NOT use excessive Server Memory & Resources. BulletProof Security does NOT use any gimmicks or bells & whistles that will cost website owners their website performance. The benefits of having website security protection are negated if your website is performing poorly/slowly, continually experiencing out of memory errors/running out of memory, database size growing exponentially with non-essential stored data, etc. BulletProof Security can actually speed up & improve your website performance by using the Speed Boost Cache Bonus Code. See the BulletProof Security Bonus Custom Code help section below.

htaccess Core Website Security (Security|Firewalls)

WordPress Website Security Protection: BulletProof Security protects your website against 100,000s of different hacking attempts/attacks. The .htaccess security filters in BulletProof Security are designed to match malicious and nuisance attack patterns. The most important benefit of using a finite pattern matching method vs infinite banning/blocking of individual IPs, Hosts, Referers, etc. is that your website performance and Server resources are not negatively impacted. In general, BulletProof Security takes an "Action Approach" to website security. Hacker X, Spammer X, Bad Bot X does bad Action Y = Forbidden/Blocked. An "Action Approach" is a much more effective and performance optimized approach to website security since the bad action itself is being blocked/forbidden instead of attempting to block an individual hacker/spammer that performed a bad action. Example: BulletProof Security blocks all SQL Injection hacking attempts/attacks no matter who performed that SQL Injection hacking attempt/attack. See the BulletProof Security Login Security & Monitoring Features section for additional features and options. See the BulletProof Security htaccess Core (Firewalls, etc.) Features section for additional features and options.

Hidden Plugin Folders|Files Cron (HPF) (Security|Monitoring)

The HPF Cron checks the WordPress /plugins/ folder for hidden or empty plugin folders and any non-standard WP files or altered files in the /plugins/ folder. If a hidden or empty plugin folder or non-standard WP file is found in the WordPress /plugins/ folder, BPS displays a Dashboard Alert and sends an Email Alert. A hidden or empty plugin folder is a plugin that exists in your /plugins/ folder, but is not displayed on the WordPress Plugins page. A hidden plugin can be used as a hacker backdoor to gain access to your WP Dashboard, hosting account, create user accounts, completely control your website and hosting account, etc. A non-standard WP file or modified/altered file in your /plugins/ folder can also do all of the things a hidden plugin can do.
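
A minimal version of the check described above, as an added example in Python (not BulletProof Security's own code). It assumes that a plugin appears on the WordPress Plugins page only when a PHP file at the top of its folder carries a non-empty "Plugin Name:" header within its first 8 KiB, and that index.php is the only expected loose non-plugin file; the function names, finding labels and sample tree are constructed for illustration, and altered-file detection is not covered.

```python
import os
import re
import tempfile

# Assumption: only the first 8 KiB of a file is searched for the plugin header.
HEADER_BYTES = 8192
PLUGIN_HEADER = re.compile(
    rb"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M
)


def has_plugin_header(path):
    """True if the file declares a non-empty 'Plugin Name:' header."""
    try:
        with open(path, "rb") as fh:
            match = PLUGIN_HEADER.search(fh.read(HEADER_BYTES))
    except OSError:
        return False  # unreadable, or a symlink to a folder
    return bool(match and match.group(1).strip())


def is_listed_php(path):
    """True for a .php file that would be listed as a plugin."""
    return path.lower().endswith(".php") and has_plugin_header(path)


def audit_plugins_dir(plugins_dir, allowed_root_files=("index.php",)):
    """Return (name, finding) pairs for entries that need a manual look."""
    findings = []
    with os.scandir(plugins_dir) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if entry.is_dir(follow_symlinks=False):
            children = sorted(os.listdir(entry.path))
            if entry.name.startswith("."):
                findings.append((entry.name, "dot-folder"))
            elif not children:
                findings.append((entry.name, "empty-folder"))
            elif not any(
                is_listed_php(os.path.join(entry.path, c)) for c in children
            ):
                # Folder has content but nothing that would be listed.
                findings.append((entry.name, "no-plugin-header"))
        elif entry.name not in allowed_root_files and not is_listed_php(entry.path):
            findings.append((entry.name, "non-standard-file"))
    return findings


def build_sample_tree(root):
    """Create a constructed plugins folder (sample data, not from a real site)."""
    header = "<?php\n/*\nPlugin Name: {}\n*/\n"
    files = {
        "index.php": "<?php\n// Silence is golden.\n",
        "hello.php": header.format("Sample Single File Plugin"),
        "contact-form/contact-form.php": header.format("Sample Contact Form"),
        "seo-tools/class-loader.php": "<?php\n// constructed file, no header\n",
        ".cache/loader.php": header.format("Sample Dot Folder Plugin"),
        "wp-feed.php": "<?php\n// constructed loose file, no header\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.mkdir(os.path.join(root, "backup-helper"))  # empty plugin folder


def demo():
    """Audit the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_plugins_dir(root)


if __name__ == "__main__":
    for name, finding in demo():
        print(f"{finding:18} {name}")
```

On a real site, pass the path of the wp-content/plugins folder to audit_plugins_dir() and add any files you expect in that folder to allowed_root_files.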

Login Security & Monitoring Website Security (Security|Monitoring)

Login Security & Login Monitoring: Log All User Account Logins or Log Only User Account Lockouts (see Screenshot). Brute Force Login Security Protection. Email alerting allows you to choose from 5 different email alerting options: Choose to have email alerts sent when a User Account is locked out, An Administrator Logs in, An Administrator Logs in and when a User Account is locked out, Any User logs in and when a User Account is locked out or Do Not Send Email Alerts. Choose Standard WP Error Messages or Generic Error Messages for Login Security Stealth Mode. Choose to Enable or Disable Login Password Reset capability for Login Security Stealth Mode. See the BulletProof Security Login Security & Monitoring Features section for additional features and options.

Idle Session Logout (ISL) (Security|Performance|Optimization)

Automatically log out idle/inactive Users. ISL uses JavaScript Event Listeners to monitor User activity for these ISL events: keyboard key is pressed, mouse button is pressed, mouse is moved, mouse wheel is rolled up or down, finger is placed on the touch surface/screen and finger already placed on the screen is moved across the screen. Option Settings: Turn On|Off, Idle Session Logout Time in Minutes, Idle Session Logout Page URL, Idle Session Logout Page Login URL, Idle Session Logout Page Custom Message, Idle Session Logout Page Custom CSS Style, User Account Exceptions, Enable|Disable Idle Session Logouts For These User Roles: Administrator, Editor, Author, Contributor, Subscriber, Enable|Disable Idle Session Logouts For TinyMCE Editors. See the BulletProof Security Idle Session Logout (ISL) Features section for additional features and options info.

Auth Cookie Expiration (ACE) (Security|Performance|Optimization)

Change the WordPress Authentication Cookie Expiration time. The default WordPress Authentication Cookie Expiration time is 2880 Minutes/2 Days and 20160 Minutes/14 Days if a User checks the Remember Me checkbox when they login. You can change the WordPress Authentication Cookie Expiration time to whatever expiration time setting that you choose. Option Settings: Turn On|Off, Auth Cookie Expiration Time in Minutes, Remember Me Auth Cookie Expiration Time in Minutes, User Account Exceptions, Enable|Disable Auth Cookie Expiration Time For These User Roles: Administrator, Editor, Author, Contributor, Subscriber. See the BulletProof Security Auth Cookie Expiration (ACE) Features section for additional features and options info.

DB Backup: Database Backup Website Security (Security|Backup)

DB Backup: Create manual and scheduled Backup Jobs. Selective database table backup and full database backup. Scheduled backup job options: Hourly, Daily, Weekly and Monthly. Send scheduled backup zip file via email or just send email only, automatically delete old backup files after a certain period of time, etc., etc., etc. All DB Backup options/settings and default setup is done automatically during upgrades and new installations. See the BulletProof Security DB Backup|Database Backup Features section for additional features and options.

FrontEnd|BackEnd Maintenance Mode (Security|Development)

Display a website under maintenance page with Countdown Timer to website visitors while the website displays and functions normally for you. When the Countdown Timer has completed (reached 0) an email reminder is sent to you to remind you that the Countdown Timer has completed. The new BPS Maintenance Mode design includes 20 background images, 15 center images (text box image), allows you to embed image files and YouTube videos, FrontEnd Maintenance Mode, BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes and most importantly is fast and simple to use so that you can switch in and out of Maintenance mode quickly and easily. FrontEnd Maintenance mode is primarily designed for development/maintenance purposes and BackEnd Maintenance Mode is technically a security feature since enabling BackEnd Maintenance Mode allows you to deny access to the /wp-admin folder/WP Dashboard by IP address. See the BulletProof Security FrontEnd|BackEnd Maintenance Mode Features section for additional features and options.

Translations

  • Language Packs: Translate BulletProof Security
  • Bonus Tip: If you use the Google Chrome Browser you can right mouse click in plugin pages and then click on Translate to... to translate plugin text into your language.

BulletProof Security Bonus Custom Code

Author AITpro | Edward Alexander
Contributors AITpro
Screenshots

  1. BulletProof Security - Setup Wizard
  2. BulletProof Security - Security Log
  3. BulletProof Security - htaccess Core Security Modes
  4. BulletProof Security - System Info
  5. BulletProof Security - Login Security and Monitoring
  6. BulletProof Security - Idle Session Logout (ISL)|Auth Cookie Expiration (ACE)
  7. BulletProof Security - DB Backup
  8. BulletProof Security - Maintenance Mode
  9. BulletProof Security - Maintenance Mode examples

  • Automated Setup Steps
  1. Click the Setup Wizard button.
  2. Note: Bonus Custom Code is completely optional. If you do not want to add any Bonus Custom Code click the Dismiss All link.
  • Optional Features:
  1. Idle Session Logout (ISL)
  2. Auth Cookie Expiration (ACE)
  3. DB Table Prefix Changer
  4. Maintenance Mode
  5. UI|UX|Theme Skin|Processing Spinner|ScrollTop Animation|WP Toolbar|Script Style Loader Filter (SLF)
  • Uninstall Options
  1. An Uninstall Options link is located on the WordPress Plugins page under the BulletProof Security plugin.
  2. Clicking the Uninstall Options link loads a jQuery UI Dialog Form with 2 uninstall options.
  3. If you are upgrading to BPS Pro, select the BPS Pro Upgrade Uninstall option and click the Save Option button or just click the Close button and do a normal plugin uninstall.
  4. If you want to completely delete the BPS plugin, all files, Custom Code and BPS database settings, select the Complete BPS Plugin Uninstall option, click the Save Option button, click the Close button and do a normal plugin uninstall.
  • Manual Setup Steps

  • htaccess Core htaccess Files Setup Steps

  1. Click the Root Folder BulletProof Mode Activate button on the Security Modes page.
  2. Click the wp-admin Folder BulletProof Mode Activate button on the Security Modes page.
  3. Turn On the Hidden Plugin Folders|Files Cron (HPF) by clicking the Save HPF Cron Options button.
  4. Click the Master htaccess Folder BulletProof Mode Activate button.
  5. Click the BPS Backup Folder BulletProof Mode Activate button.
  • Login Security & Monitoring Setup Steps
  1. Click the Login Security & Monitoring Save Options button to use & save the BPS default Login Security settings or choose your own settings.
  2. Click the Login Security: Send Login Security Email Alert When... Save Options button to use and save BPS default Email Alerts and Log File settings or choose your own settings.
  • Idle Session Logout (ISL) Setup Steps
  1. Choose the ISL option settings you want to use.
  2. Click the Save Options button.
  • Auth Cookie Expiration (ACE) Setup Steps
  1. Choose the ACE option settings you want to use.
  2. Click the Save Options button.
  • DB Backup & Security Setup Steps
  1. Click the Create Backup Jobs accordion tab.
  2. Enter a Description|Backup Job Name and select the Form option choices that you want.
  3. Click the Create Backup Job|Save Settings button to save your Form option choices and create your Backup Job.
  4. Click the Backup Jobs - Manual|Scheduled accordion tab, click on the Run checkbox for the Backup Job that you want to run and click the Run Job|Delete Job button.
  5. Your Backup files are displayed under the Backup Files - Download|Delete accordion tab.
  6. You can Download Backup files to your computer by clicking the Download link for that Backup file.
  7. You can delete Backup files by clicking the checkbox for the Backup file that you want to delete and then click the Delete Files button.
  • Maintenance Mode Usage: Display an Under Maintenance page
  1. Choose the Maintenance Mode settings you want to use.
  2. Use one of the BPS pre-created Background Images & Center Images or create your own unique Under Maintenance page.
  3. Click the Save Options button.
  4. Click the Preview button.
  5. Click the Turn On button.
  • UI|UX Settings
  1. Select and Save a Theme Skin.
  2. Turn On|Off The Inpage Status Display.
  3. Turn On|Off The Processing Spinner.
  4. Turn On|Off jQuery ScrollTop Animation.
  5. Choose WP Toolbar Functionality In BPS Plugin Pages.
  6. Choose On|Off for Script|Style Loader Filter (SLF) In BPS Plugin Pages.
  7. BPS UI|UX Debug: Turn On for debugging.

Where can I find BulletProof Security additional troubleshooting steps & support?

Please see the BulletProof Security Forum.

BulletProof Security Compatible Hosting|Host Server|WordPress Site Types

  • Types: Shared, VPS, Dedicated, Managed, Colocation, In-house
  • Types: Apache, Linux, Nginx, LiteSpeed, Windows (Windows IIS)
  • Types: Standard|Single, Network|Multisite, "Giving WordPress Its Own Directory" (GWIOD), BuddyPress|bbPress, subdomain, subdirectory, HTTPS/SSL
  • Note: The Setup Wizard Pre-Installation Check displays compatibility information.
  • Note: The Setup Wizard Pre-Installation Check tests if htaccess files can or cannot be used on your website and will automatically disable BPS htaccess features and files if your server/website cannot use htaccess files. You will see the "htaccess Files Disabled Notice" on the Setup Wizard page with a link to a Help Forum Topic.
  • Note: BulletProof Security works on all web hosts except for these 3 web hosts: Incompatible Hosts.

Can BulletProof Security be Network Activated on Network|Multisite Sites?

The BulletProof Security plugin can be Network Activated or you can allow BulletProof Security to be activated individually on each Network/Multisite subsite or of course you can choose not to Network Activate BulletProof Security or allow the BPS plugin on subsites. Super Admins will see BPS Dashboard Alerts and other Status displays on the Primary Site only. Administrators can activate or deactivate BulletProof Security on subsites if you allow this on your Network/Multisite website. The BPS Primary Site Menus will display all BPS menus. The BPS Subsite Menus will display: Login Security, Maintenance Mode, System Info & UI|UX Theme Skin menus. Not all BulletProof Security features are available on subsites since Network/Multisite subsites are virtual and do not have physical website folders. All BulletProof Security features work sitewide and affect all other virtual subsites. Login Security and Maintenance Mode work independently on each subsite.

  • Login Security works individually for each specific subsite. Login Security has all the same functionality on Network/Multisite subsites with these exceptions: Login Security email alerting is not available for subsites.
  • Maintenance Mode works individually for each specific subsite. MMode has all the same functionality on Network/Multisite subsites with these exceptions: BackEnd Maintenance is not available on subsites & these Primary site options are not available on subsites: Put The Primary Site And All Subsites In Maintenance Mode & Put All Subsites In Maintenance Mode, But Not The Primary Site.
  • System Info has all the same functionality on Network/Multisite subsites with these exceptions: MySQL Database information is not displayed on subsites.
  • BulletProof Security also works with Network/Multisite Domain Mapping.

Does BulletProof Security Have Built-in Troubleshooting|Diagnostic|Logging|Whitelisting Capability?

Yes. Troubleshooting|Diagnostic|Logging|Whitelisting is built-in to BulletProof Security. The Setup Wizard performs Pre-Installation Checks to check for any pre-existing issues that could cause any issues or problems and displays exactly what needs to be done to fix the issue. The primary troubleshooting feature in BulletProof Security is the BPS Security Log. The primary whitelisting feature in BulletProof Security is BPS Custom Code. The BPS Security Log logs blocked hackers, spammers, bad bots, etc. and also logs anything else that is blocked by BPS. If something legitimate is being blocked in another plugin or theme that needs to be allowed/whitelisted then the BPS Security Log entry will contain all the information about what exactly is being blocked so that a whitelist rule can then be created in BPS Custom Code. The BPS Security Log also logs all other 403 errors that occur on your website whether or not they are related to or caused by BPS. Turning Off BPS Security Logging will allow your server to handle error logging and display your server error message instead of BPS displaying the standard 403 template file error message. This is also considered a troubleshooting method to determine if an error is actually coming from your server and not the BPS plugin.

I am seeing Security Log entries in my BulletProof Security Log. What do they mean?

Your Security Log will log 400, 403, 405, 410 and 404 (requires copying the BPS 404 logging code to your Theme's 404.php Template) Errors. The Security Log logs all 400, 403, 405 and 410 HTTP Response Status Codes by default. You can also log 404 HTTP Response Status Codes by opening this BPS 404 Template file - /bulletproof-security/404.php and copying the logging code into your Theme's 404 Template file. When you open the BPS 404.php file you will see simple instructions on how to add the 404 logging code to your Theme's 404 Template file. 99.99% of what is logged in the Security Log is blocked hackers, spammers, bad bots, scrapers, miners, etc. The Security Log is also a troubleshooting tool. If BPS is blocking something legitimate in another plugin or theme then exactly what is being blocked in another plugin or theme by BPS will be logged in the Security Log. A whitelist rule can be created to allow anything legitimate that is being blocked in another plugin or theme.

HTTP Status Codes (Internet Standard)

  • 400 Bad Request - The request could not be understood by the Server due to malformed syntax.
  • 401 Unauthorized - The request requires user authentication. By default BPS redirects Auth Requests to the correct URI to avoid 404 errors.
  • 403 Forbidden - The Server understood the request, but is refusing to fulfill it.
  • 404 Not Found - The Server has not found anything matching the Request-URI/URL. No indication is given to whether the condition is temporary or permanent.
  • 405 Method Not Allowed - The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource. BPS blocks HEAD Requests using a 405 ErrorDocument Redirect. The BPS 405 Template has an Allow header field for the GET, POST and PUT HTTP Methods.
  • 410 Gone - The requested resource is no longer available at the Server/site and no forwarding address is known. This condition is expected to be considered permanent.
  • 503 Service Unavailable - The Server/site is temporarily performing maintenance. Used in BPS MMode with Retry-After header to indicate when the Server/site will be available again.

Will BulletProof Security or .htaccess files or .htaccess code cause my website to run slower?

No. BulletProof Security or .htaccess files/code in general will not cause a website to run slower. BulletProof Security is website performance optimized and uses very little/low website resources and very little Server memory. BulletProof Security uses a finite number of security rules/filters/code in all .htaccess files. Note: Both W3 Total Cache and WP Super Cache use .htaccess code to speed up website performance.

Can BulletProof Security speed up my website and make it run faster?

Yes. BulletProof Security can speed up your website and make it run faster if you use the BPS Speed Boost Cache Code and add it to BPS Custom Code.

Do I need to understand .htaccess code in order to use BulletProof Security?

No. We use a paint by numbers approach, have extensive documented help and fixes on our Forum site and provide exact steps to perform any tasks that need to be done such as adding whitelist rules or other custom code, i.e. do Step 1, Step 2, Step 3. BPS creates customized .htaccess files for your website by either running the Setup Wizard or clicking the BulletProof Modes Activate buttons. You do not need to know anything about .htaccess website security files or code in order to use the BulletProof Security plugin. Extensive help information can be found in the Read Me help buttons in BPS. The Help & FAQ tab pages in BulletProof Security contain links to BulletProof Security Forum help topics and video tutorials. The process of adding Custom Code or adding whitelisting rules is automated - See the Custom Code Read Me help button for Custom Code steps.

Are there any known issues or conflicts with other WordPress Plugins or Themes?

Occasionally issues or conflicts do occur with other plugins, but they are always quickly resolved. BulletProof Security is compatible with all other Plugins and Themes. If BulletProof Security is blocking something legitimate in another plugin or theme a whitelist rule can be created in BPS Custom Code to allow/whitelist whatever was being blocked by BPS. Please check the BulletProof Security Plugin Compatibility page for the steps to search for documented plugin or theme whitelist rules.

How do the BulletProof Security Plugin htaccess Core (Firewalls) work?

The BulletProof Security Plugin allows you to create and activate .htaccess website security with one-click (literally if the BPS Setup Wizard is run) (figuratively if you are using BPS manual controls) for your website without having to know anything about .htaccess files. The Master .htaccess files are pre-made and BPS writes additional .htaccess code that is customized to each specific website when you run the Setup Wizard or if you use the Manual Controls. There is nothing to figure out or to configure. Either run the Setup Wizard or use the Manual Setup Controls: BulletProof Modes Activate buttons. BPS has built-in Backup and Restore and an .htaccess File Editor for full manual editing control as well. BPS Custom Code allows you to add additional custom .htaccess code or BPS Bonus Custom Code and save it permanently so that your saved code is added/created in your htaccess files.

How does BulletProof Security Plugin Login Security & Monitoring work?

BulletProof Security Login Security & Monitoring allows you to choose whether you want to Log All User Account Logins or Log Only User Account Lockouts. The Dynamic DB Logging Form has 3 checkbox options: Lock, Unlock or Delete database rows. The Login Security database table is hooked into the WordPress Users database table, but they are 2 completely separate database tables. If you lock a User Account then BPS will enforce that lock on that User Account and the User will not be able to log in. If you unlock a User Account then the User will be able to login. Deleting database rows in the Login Security database table does NOT delete the User Account from the WordPress Users database table. When you delete a User Account it is pretty much the same thing as unlocking a User Account. To delete actual User Accounts you would go to the WordPress Users page and delete that User Account.

What to do if your User Account is locked out by Login Security and you are unable to log in?

Use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder name to /_bulletproof-security and login to your website. After logging into your website, rename the /_bulletproof-security/ plugin folder name back to /bulletproof-security/. Unlock your User Account on the BPS Login Security and Monitoring page.

What to do if you cannot log back into your website due to an htaccess file/code problem?

If you accidentally added additional invalid custom htaccess code to BPS Custom Code or your web host does not allow you to lock your root .htaccess file and your htaccess file was locked: Use FTP or your Web Host Control Panel File Manager and delete the .htaccess files that BPS creates in your website root folder and your wp-admin folder. Deleting the .htaccess files in your website root folder & wp-admin folder will allow you to log back in to your website. If your web host does not allow locking the root .htaccess file then go to htaccess File Editor tab page and click the Turn Off AutoLock button. Either run the Setup Wizard again or click the BulletProof Modes Activate buttons again. If the problem was caused by invalid custom htaccess code added to BPS Custom Code then remove/delete the invalid custom htaccess code from BPS Custom Code before activating BulletProof Modes again.

What to do if you cannot log back into your website due to an Idle Session Logout (ISL) problem?

If you accidentally lock yourself out of your site then use FTP or your web host control panel file manager and edit the /bulletproof-security/bulletproof-security.php file and change: if ( $BPS_ISL_options['bps_isl'] == 'On' ) { to: if ( $BPS_ISL_options['bps_isl'] == '0' ) { (you are changing the value from "On" to "0"). Log into your site, go to the ISL page and change/fix your ISL settings.

Do Idle Session Logout (ISL) or Auth Cookie Expiration (ACE) affect all website visitors to your website?

The Idle Session Logout (ISL) javascript code is only loaded if a User is logged into your website (depends on your ISL option settings for User Accounts/Roles) and is specific to only that User's Browser/Client Browser and Login Session. Auth Cookie Expiration (ACE) is a WordPress Authentication Cookie that is set when a User logs into your website. Visitors that visit your website that are not logged into your website are not affected in any way by ISL or ACE.

Can the Idle Session Logout Time be changed while Users are logged in or after a User has already logged in?

Yes. ISL is Client Browser based and the Idle Session Logout Time is a variable that has a value that can be changed "on the fly". Example: If UserA and UserB login to your site and the Idle Session Logout Time was 60 minutes when they logged in and you change the Idle Session Logout Time to 1 minute while UserA and UserB are logged into your site then UserA and UserB and all other Users that are logged into your site (depending on your ISL option settings) will be automatically logged out after being idle/inactive for 1 minute.

Can the Auth Cookie Expiration Time be changed while Users are logged in or after a User has already logged in?

Yes and No. Yes, you can change the Auth Cookie Expiration Time option setting for all Users (depending on your ACE option settings), but the WordPress Authentication Cookie Expiration time is set when Users log into your site and cannot be changed "on the fly". So if you change the Auth Cookie Expiration Time while UserA and UserB are already logged into your site then the new Auth Cookie Expiration Time that you choose will not take effect until after UserA and UserB logout and log back into your site. The WordPress Authentication Cookie Expiration time can only be set/reset at login. This is the default functionality of the WordPress Authentication Cookie.

How does BulletProof Security FrontEnd|BackEnd Maintenance Mode work?

FrontEnd Maintenance Mode creates template files based on the options you choose and save. When you Turn On Maintenance Mode those template files are copied to the root directory of your website. When you Turn Off Maintenance Mode those template files are deleted from the root directory of your website. Maintenance Mode works by allowing the IP addresses that you enter & save to view the site normally. All other IP addresses will see the Maintenance Mode template page. BackEnd Maintenance Mode writes directly to your wp-admin .htaccess file and adds a deny all block of .htaccess code with the IP addresses that you enter & save when you enable BackEnd Maintenance Mode. When you disable/uncheck BackEnd Maintenance Mode that deny all block of .htaccess code is removed/deleted from your wp-admin .htaccess file. For more extensive help info, or for CSS Code, Image & Video Embed examples to add in the "Maintenance Mode Text, CSS Style Code, Images, Videos Displayed To Website Visitors" text area, see the Maintenance Mode Guide Forum Topic: Maintenance Mode Guide.

BPS Alert! Your site does not appear to be protected by BulletProof Security. What does the Alert mean?

The alert means that the currently active root htaccess file that is in use on your website does not contain BPS htaccess security code. You can either run the Setup Wizard again or go to the htaccess Core Security Modes page and click the Root Folder BulletProof Mode Activate button.

Can I add my own .htaccess code to the BulletProof Security .htaccess files?

Yes. Add any additional custom htaccess security code to BulletProof Security Custom Code. Your custom .htaccess code will be saved permanently or until you delete it. Please view the Read Me Help button in Custom Code for specific details and Custom Code setup steps.

Does BulletProof Security automatically create or write .htaccess files?

Yes. BulletProof Security automatically creates customized .htaccess website security files for your specific website, either with the Setup Wizard or manually by clicking the BulletProof Modes Activate buttons on the htaccess Core Security Modes page. BulletProof Security also offers full manual control of editing .htaccess files using the built-in .htaccess File Editor. The BPS Master .htaccess files are pre-made. When you run the Setup Wizard or click the BulletProof Modes Activate buttons your .htaccess Master files are created with specific code for your specific website. You can add additional code to BPS Custom Code, edit the .htaccess files directly, or create completely new .htaccess master files from within the WordPress Dashboard using the built-in BPS File Editor or Custom Code - no FTP required - no Web Host Control Panel required. Automation is great, but also having full manual editing control makes BulletProof Security very versatile.

Security Log File Automation - Automatically Zipped, Emailed and Replaced

Security Log files are automatically zipped, emailed and replaced with a new blank Security Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The Security Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

DB Backup Log File Automation - Automatically Zipped, Emailed and Replaced

DB Backup Log files are automatically zipped, emailed and replaced with a new blank DB Backup Log file when the log file reaches the maximum file size setting that you choose. By Default BulletProof Security sets this DB option to zip, email and replace the Security Log file when it reaches 500KB. The DB Backup Log file is checked once per hour with a WordPress Cron. The optimum recommended file size setting is 500KB.

BulletProof Security Fast and Simple with No Manual Configuration or FTP Required

The BulletProof Security WordPress plugin is a one-click security solution that creates, copies, renames, moves or writes to the provided BulletProof Security .htaccess master files. BulletProof Security protects both your Root website folder and wp-admin folder with .htaccess website security protection, as well as providing other additional website security protection. BulletProof Security allows you to add .htaccess website security protection from within the WordPress Dashboard so that you do not have to access your website via FTP or your Web Host Control Panel in order to add website security protection for your WordPress site.

What to do if Hidden Plugin Folders|Files Cron (HPF) detects a hidden plugin folder or file

If a hidden or empty plugin folder is detected or a non-standard WP file is detected then you would use FTP to check the folder or file. If the folder or file contains hacker code or is a hidden plugin or is a non-standard WP file then make a copy of it and delete it. If the plugin folder is just an empty plugin folder then delete it. If you recognize the folder or file you can use the Ignore Hidden Plugin Folders & Files textarea box option to ignore/not check this folder or file.

Does BulletProof Security work with Git distributed version control system?

Yes. BulletProof Security works with Git, but does require some additional setup steps. Please see this thread for the setup steps: Git distributed version control system setup steps.

Help Info

Extensive Help Info can be found on the AIT-pro.com Forum website and by clicking the Read Me Help buttons on BulletProof Security pages themselves. The BPS Help and FAQ tab pages contain additional help links.

BulletProof Security htaccess Core (Firewalls, etc.) Features

  • Root Folder BulletProof Mode|Firewall
  • wp-admin Folder BulletProof Mode|Firewall
  • Built-in .htaccess File Editor & File Manager
  • Built-in .htaccess Backup and Restore
  • One-click .htaccess website security protection from within the WP Dashboard
  • .htaccess security protection against hacking attempts: XSS|RFI|CRLF|CSRF|Base64|Code Injection|SQL Injection
  • TimThumb Vulnerability|Exploit .htaccess security protection (Firewall)
  • .htaccess Lock|Unlock (404 Read-Only)
  • .htaccess AutoLock On|Off
  • Security|HTTP Error Logging: 400|403|404|405|410 HTTP Status Codes
  • Security Log: Add|Remove User Agents|Bots to Ignore|Not Log or Allow|Log
  • Security Log: Turn On|Turn Off|Delete Log
  • Security Log Automation: Automatically zipped, emailed and replaced based on file size
  • Automatic .htaccess file updating on BPS upgrade installation
  • New .htaccess security filters automatically added during upgrade
  • WP Dashboard Alerts|WP Dashboard Dismiss Notices
  • Anti Comment Spam .htaccess code - works together with Akismet or other Spam plugins to keep Comment Spam at a minimum
  • Anti Comment Spambot .htaccess code - Forbid Empty Referrer Spambots
  • Author ID|User ID|Username Bot Probe Protection
  • Custom Code feature: Add|Edit|Modify|Save|Export|Import additional Bonus or personal custom .htaccess code
  • WordPress readme.html and /wp-admin/install.php protected with .htaccess security protection
  • wp-config.php and bb-config.php files protected with .htaccess security protection
  • php.ini and php5.ini files protected with .htaccess security protection
  • WordPress database errors turned off - Verification and function insurance
  • WordPress version is not displayed/not shown - WordPress version is removed
  • WP Generator Meta Tag filtered|not displayed|not shown
  • WP DB default admin username|account check
  • System Info: PHP|MySQL|OS|Server|Memory Usage|IP|SAPI|WP Filesystem API Method|DNS|Apache Modules|Directives Compatibility Checks|Max Upload|Zend Engine Version|Zend Guard|Loader|Optimizer|ionCube Loader|Suhosin|APC|eAccelerator|XCache|Varnish|cURL|Memcache|Memcached|Plugins|Versions Installed|Activated|Get Plugins List|Browser Compression|GD Library|ImageMagick|OpenSSL
  • File and Folder Permission Checking: CGI|DSO|SAPI check|display
  • Help & FAQ page: links to BPS Guide and other detailed Help & Info pages
  • Extensive jQuery Dialog Read Me Help buttons throughout the BulletProof Security plugin pages
  • HUD Success|Error message display
  • i18n Language Translation coding

BulletProof Security Hidden Plugin Folders|Files Cron (HPF)

  • A hidden or empty plugin folder is a plugin that exists in your /plugins/ folder, but is not displayed on the WordPress Plugins page. A hidden plugin can be used as a hacker backdoor to gain access to your WP Dashboard, hosting account, create user accounts, completely control your website and hosting account, etc. A non-standard WP file or modified/altered file in your /plugins/ folder can also do all of the things a hidden plugin can do.
  • Automated Cron check that checks the WordPress /plugins folder for hidden plugins or non-standard WP files
  • Displays Dashboard Alerts
  • Sends Email Alerts
  • HPF Cron Check Frequency settings: 1, 5, 10, 15, 30 or 60 minutes
  • HPF Cron On|Off: Turn the HPF Cron On or Off
  • Ignore Hidden Plugin Folders & Files: Whitelisting tool to ignore plugin folders or non-standard WP files
  • HPF is automatically setup during BPS Upgrades or when running the BPS Setup Wizard
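A filesystem audit in the spirit of the HPF check described above, as an added example that is not BulletProof Security's own code. It relies on the fact that WordPress lists a plugin only when a top-level PHP file carries a `Plugin Name:` header in its first 8 KB; the treatment of loose files in the plugins root as "non-standard", the `ignore` parameter and the sample tree are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Header WordPress looks for when building the Plugins page (first 8 KB only).
HEADER_RE = re.compile(rb"^(?:[ \t]*<\?php)?[ \t/*#@]*Plugin Name:[ \t]*\S",
                       re.I | re.M)
HEADER_BYTES = 8192


def has_plugin_header(php_file: Path) -> bool:
    with php_file.open("rb") as fh:
        head = fh.read(HEADER_BYTES).replace(b"\r", b"\n")
    return HEADER_RE.search(head) is not None


def audit_plugins_dir(plugins_dir, ignore=()):
    """Return (name, finding) pairs for entries the Plugins page would not show."""
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir(), key=lambda p: p.name):
        if entry.name in ignore:
            continue  # operator-reviewed entry, like an ignore/whitelist option
        if entry.is_dir():
            children = list(entry.iterdir())
            if not children:
                findings.append((entry.name, "empty plugin folder"))
            elif not any(c.is_file() and c.suffix == ".php" and has_plugin_header(c)
                         for c in children):
                findings.append((entry.name, "hidden plugin folder"))
        elif entry.name == "index.php":
            continue  # stock placeholder file shipped with WordPress
        elif entry.suffix != ".php" or not has_plugin_header(entry):
            findings.append((entry.name, "non-standard file"))
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed sample /plugins/ tree; all names and contents are made up."""
    plugins = root / "plugins"
    (plugins / "listed-plugin").mkdir(parents=True)
    (plugins / "listed-plugin" / "listed-plugin.php").write_bytes(
        b"<?php\n/*\nPlugin Name: Listed Plugin\n*/\n")
    (plugins / "empty-folder").mkdir()
    (plugins / "no-header").mkdir()
    (plugins / "no-header" / "loader.php").write_bytes(b"<?php // no header comment\n")
    (plugins / "index.php").write_bytes(b"<?php\n// Silence is golden.\n")
    (plugins / "loose.php").write_bytes(b"<?php // no header comment\n")
    return plugins


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        plugins = build_sample_tree(Path(tmp))
        return (audit_plugins_dir(plugins),
                audit_plugins_dir(plugins, ignore={"empty-folder"}))


if __name__ == "__main__":
    for name, finding in demo()[0]:
        print(f"{finding}: {name}")
```

Each finding is a prompt for manual review of the folder or file, not proof of compromise.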

BulletProof Security Login Security & Monitoring Features

  • Brute Force Login Security Protection
  • Log All User Account Logins or Log Only User Account Lockouts
  • Logged DB Fields: User ID|Username|Display Name|Email|Role|Login Time|Lockout Expires|IP Address|Hostname|Request URI
  • Email Alerting Options: User Account is locked out|An Administrator Logs in|An Administrator Logs in and when a User Account is locked out|Any User logs in and when a User Account is locked out|Do Not Send Email Alerts
  • Login Security Additional Options: Max Login Attempts|Automatic Lockout Time|Manual Lockout Time|Max DB Rows To Show|Turn On|Turn Off
  • Login Security Stealth Mode: Standard WP Error Messages or Generic Error Messages.
  • Login Security Attempts Remaining: Display a "Login Attempts Remaining X" message when an incorrect password is entered.
  • Login Security Stealth Mode: Enable or Disable Login Password Reset capability and links.
  • Dynamic DB Form: Lock|Unlock|Delete
  • Enhanced Search: Allows you to search all of the Login Security database rows/Fields
  • Click the Login Security Read Me help button for full descriptions of all features and options.

BulletProof Security Idle Session Logout (ISL) Features

  • Turn On|Turn Off: ISL is Turned Off by default. Select Turn On ISL to turn ISL On.
  • Idle Session Logout Time in Minutes: Time in minutes for when an idle/inactive User should be logged out of your site.
  • Idle Session Logout Page URL: Defaults to BPS ISL Logout page URL or choose to redirect logged out users to any URL that you want to redirect them to.
  • Idle Session Logout Page Login URL: Displays a clickable Login URL/link to your WP Login page or you can choose not to display a Login URL/link.
  • Idle Session Logout Page Custom Message: Use the default BPS ISL message/text or you can create your own custom ISL message/text.
  • Idle Session Logout Page Custom CSS Style: Use the default BPS CSS Style code or enter your own custom CSS Style customizations.
  • User Account Exceptions: Disable ISL by User Account names. User Account Exceptions override the User Roles option setting.
  • Enable|Disable Idle Session Logouts For These User Roles: Enable ISL for Users by User Role: Administrator, Editor, Author, Contributor and Subscriber.
  • Enable|Disable Idle Session Logouts For TinyMCE Editors: Disable ISL for any/all pages that have a TinyMCE Editor on them.

BulletProof Security Auth Cookie Expiration (ACE) Features

  • Turn On|Turn Off: ACE is Turned Off by default. Select Turn On ACE to turn ACE On.
  • Auth Cookie Expiration Time in Minutes: Time in minutes for when a User should be logged out of your site.
  • Remember Me Auth Cookie Expiration Time in Minutes: Time in minutes for when a User should be logged out of your site when the User has checked the Remember Me checkbox.
  • User Account Exceptions: Disable ACE by User Account names. User Account Exceptions override the User Roles option setting.
  • Enable|Disable Auth Cookie Expiration Time For These User Roles: Enable ACE for Users by User Role: Administrator, Editor, Author, Contributor and Subscriber.

BulletProof Security DB Backup|Database Backup Features

  • Manual or scheduled database backups
  • Scheduled backup job options: Hourly, Daily, Weekly and Monthly
  • Send scheduled backup zip file via email or just send email only
  • Selective database table backup and full database backup
  • Automatic deletion of old backup files after a certain period of time
  • Backup Jobs - Manual|Scheduled Accordion Tab
  • Displays the Description|Job Name, Delete and Run Checkboxes, Job Type, Frequency, Last Backup, Next Backup, Email Backup and Job Created table columns.
  • Backup Files - Download|Delete Accordion Tab
  • Displays the Backup Filename, Delete Checkbox, Download Links, Backup Folder, Size and Date|Time table columns.
  • Create Backup Jobs Accordion Tab
  • Displays a dynamic DB Table Name checkbox form, Description|Backup Job Name, DB Backup Folder Location (default Obfuscated & Secure BPS Backup Folder location), DB Backup File Download Link|URL, Backup Job Type: Manual or Scheduled, Frequency of Scheduled Backup Job (recurring - Hourly, Daily, Weekly or Monthly), Hour When Scheduled Backup is Run (recurring - start time for a scheduled backup job), Day of Week When Scheduled Backup is Run (recurring - weekday day), Day of Month When Scheduled Backup is Run (recurring - day of the month), Send Scheduled Backup Zip File Via Email or Just Email Only - email zip backup file, do not email backup zip file, email and delete zip backup file or just send an email, Automatically Delete Old Backup Files (Never delete old backup files, delete backup files older than 1 day, 5 days, 10 days, 15 days, 30 days, 60 days, 90 days or 180 days), - Turn On|Off All Scheduled Backups (override - turn on all scheduled backups or turn off all scheduled backups).
  • Rename|Create|Reset Tool: Rename|Create|Reset DB Backup Folder Name
  • DB Backup Logging
  • Depending on your DB Backup settings, log entries will be logged anytime you run a Manual Backup Job or whenever a Scheduled Cron Backup Job is run. The Backup Job Completion Time, Zip Backup File Name, timestamp and other information is logged. If you have chosen the option to automatically delete old zip backup files then the zip backup file name and timestamp will be logged when old zip backup files are automatically deleted. When you create a new Backup Job your Backup Job Settings are logged/saved in the DB Backup Log.
  • DB Backup Log Automation: Automatically zipped, emailed and replaced based on file size
  • Click the DB Backup Read Me help button for full descriptions of all features and options.

BulletProof Security FrontEnd|BackEnd Maintenance Mode Features

  • FrontEnd Maintenance Mode|BackEnd Maintenance Mode or both FrontEnd & BackEnd Maintenance Modes
  • Website displays & functions normally while visitors see a website under maintenance page
  • TinyMCE WYSIWYG Editor - Create Customizable Website Under Maintenance page
  • Embed image files and YouTube videos
  • 20 background images|15 center images (text box image)|Roll Your Own Design|Under Maintenance Page
  • Background image files/options and Center images (text box image) are independent of each other so that you can mix and match different background images with different Center images (text box image)
  • Enable Countdown Timer
  • Countdown Timer Text Color
  • Maintenance Mode Time in Minutes
  • Header Retry-After in Minutes ~ 503 HTTP Status Code
  • Enable FrontEnd Maintenance Mode ~ site development, maintenance, coming soon, under construction, etc.
  • Enable BackEnd Maintenance Mode ~ Deny All IP address .htaccess protection for the wp-admin folder/WP Dashboard
  • Maintenance Mode IP Address Whitelist Text Box: Enter The IP Addresses That Can View The Website Normally (not in Maintenance Mode)
  • Maintenance Mode Text|Images|Videos Displayed To Website Visitors
  • Background Images: 20 background images ~ mix and match with center images ~ see screenshot
  • Center Images: 15 center images ~ mix and match with background images ~ see screenshot
  • Background Colors (If not using a Background Image)
  • Display Visitor IP Address
  • Display Admin|Login Link
  • Enable Visitor Logging
  • Display Dashboard Reminder Message when site is in Maintenance Mode
  • Send Email Reminder when Maintenance Mode Countdown Timer has completed
  • Email: To|From|cc|bcc
  • Network|Multisite Primary Site Options ONLY
  • Put The Primary Site And All Subsites In Maintenance Mode
  • Put All Subsites In Maintenance Mode, But Not The Primary Site
  • Click the Maintenance Mode Read Me help button for full descriptions of all features and options.
Version .54

Requires WordPress version: 3.7 or higher

Compatible up to: 4.6

Last Updated 26 Jul 2016

Date Added: 29 Apr 2010

Plugin Homepage

Evaluation

4.7 stars
279 ratings
2,104,647 downloads

Compatibility

Not Enough Data

Reports:
Works: 0
Broken: 0

Probably Works.
Considering downloads, would expect problems reported.